Iranian Threat Actors Use Password Spraying And MFA Push-Bombing To Hack Organizations In Critical Sectors

Written by: Kathie McDonald-McClure

On October 16, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”) and the National Security Agency (“NSA”) issued a Joint Cybersecurity Advisory warning that threat actors from Iran are using “password spraying” and Multi-Factor Authentication (MFA) “push-bombing” (also called “MFA fatigue”) to gain access to organizations’ networks and web-based applications in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

With password spraying, the threat actor compiles a list of usernames and tries to log in to each account with a single commonly used password. If that password fails everywhere, the attacker moves on to another common password and repeats the cycle until one account accepts it. Because each account sees only one or two failures per round, spraying stays below the per-account lockout thresholds that would stop a conventional brute-force attack. A strong, unique password matters even where MFA is enabled: push-bombing only works once the attacker already holds a valid password, so denying them that first factor stops the attack before the MFA prompts ever start.

With MFA push-bombing, the threat actor, already holding a valid password, repeatedly attempts to log in so that the legitimate user’s smartphone receives a large number of MFA push notifications, hoping the user will eventually approve one just to stop the barrage. Once the threat actor gains access to the account, they frequently register their own device for MFA on that account, giving them persistent access to the environment through a valid account.

MFA that can be satisfied by a single tap on a push notification, with no further action from the user (such as typing the number or code shown on the login screen into the authenticator app), is particularly exposed to this combination of password guessing and credential abuse: the user is never asked for anything the attacker does not already have. Does your network or any of your web-based applications rely solely on a push notification to grant access? Specifically, if access can be granted by a mere tap on a prompt, a click on a link in an SMS or email message, or by answering a call to a mobile device, with no additional step before access is permitted, talk to your IT team or the vendor of the web-based application about strengthening the authentication method (for example, number matching on push prompts, or phishing-resistant MFA such as hardware security keys).
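The two techniques described above leave distinct traces in identity-provider sign-in logs, and the following Python is an added example of how to look for them; it is not part of the Joint Cybersecurity Advisory or of this post. Spraying shows up as one source IP failing against many different usernames in a short window, push-bombing as one user receiving a burst of MFA prompts, and the chain the Advisory describes ends with a new MFA device registered on the account that finally approved. The event shape (ts, user, ip, kind, result), the field values and every sample record are constructed for illustration; real logs from Entra ID, Okta or a similar provider need to be normalised into that shape first, and the thresholds are starting points to tune against your own baseline.

```python
# Added example: detection logic for password spraying, MFA push-bombing and the
# follow-on MFA device registration. Event shape and data are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); timestamps are UTC.
SAMPLE_EVENTS = [
    # One source IP tries one password against five different accounts: spraying.
    {"ts": "2024-10-16T02:00:01Z", "user": "a.adams", "ip": "203.0.113.7", "kind": "login", "result": "fail"},
    {"ts": "2024-10-16T02:00:04Z", "user": "b.baker", "ip": "203.0.113.7", "kind": "login", "result": "fail"},
    {"ts": "2024-10-16T02:00:07Z", "user": "c.clark", "ip": "203.0.113.7", "kind": "login", "result": "fail"},
    {"ts": "2024-10-16T02:00:10Z", "user": "d.diaz", "ip": "203.0.113.7", "kind": "login", "result": "fail"},
    {"ts": "2024-10-16T02:00:13Z", "user": "e.evans", "ip": "203.0.113.7", "kind": "login", "result": "fail"},
    # The sixth account accepts the password, so an MFA challenge is issued...
    {"ts": "2024-10-16T02:00:16Z", "user": "f.foster", "ip": "203.0.113.7", "kind": "login", "result": "mfa_required"},
    # ...and the attacker keeps retrying: five prompts in under three minutes, the last approved.
    {"ts": "2024-10-16T02:00:17Z", "user": "f.foster", "ip": "203.0.113.7", "kind": "mfa_push", "result": "denied"},
    {"ts": "2024-10-16T02:00:40Z", "user": "f.foster", "ip": "203.0.113.7", "kind": "mfa_push", "result": "timeout"},
    {"ts": "2024-10-16T02:01:05Z", "user": "f.foster", "ip": "203.0.113.7", "kind": "mfa_push", "result": "denied"},
    {"ts": "2024-10-16T02:01:30Z", "user": "f.foster", "ip": "203.0.113.7", "kind": "mfa_push", "result": "timeout"},
    {"ts": "2024-10-16T02:02:45Z", "user": "f.foster", "ip": "203.0.113.7", "kind": "mfa_push", "result": "approved"},
    # Persistence: a new MFA device is registered on the compromised account.
    {"ts": "2024-10-16T02:05:00Z", "user": "f.foster", "ip": "203.0.113.7", "kind": "mfa_device_registered", "result": "success"},
    # Benign noise: a user mistypes once, then logs in and approves a single prompt.
    {"ts": "2024-10-16T08:30:00Z", "user": "g.green", "ip": "198.51.100.9", "kind": "login", "result": "fail"},
    {"ts": "2024-10-16T08:30:40Z", "user": "g.green", "ip": "198.51.100.9", "kind": "login", "result": "mfa_required"},
    {"ts": "2024-10-16T08:30:41Z", "user": "g.green", "ip": "198.51.100.9", "kind": "mfa_push", "result": "approved"},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Source IP -> sorted usernames, for IPs whose failed logins hit at least
    `min_users` distinct accounts inside `window` (breadth, not depth)."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "login" and e["result"] == "fail":
            failures[e["ip"]].append((_ts(e), e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        lo = 0  # sliding window over time-ordered failures from this IP
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            if len({u for _, u in attempts[lo:hi + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=5):
    """User -> summary, for users who receive at least `min_prompts` MFA push
    prompts inside `window`; `approved` says whether the barrage succeeded."""
    prompts = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push":
            prompts[e["user"]].append((_ts(e), e["result"], e["ip"]))
    flagged = {}
    for user, items in prompts.items():
        items.sort()
        lo, best = 0, (0, 1)  # densest window seen so far, as a slice
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if hi - lo + 1 > best[1] - best[0]:
                best = (lo, hi + 1)
        burst = items[best[0]:best[1]]
        if len(burst) >= min_prompts:
            flagged[user] = {
                "prompts": len(burst),
                "approved": any(r == "approved" for _, r, _ in burst),
                "ips": sorted({ip for _, _, ip in burst}),
            }
    return flagged


def compromised_accounts(events, registration_window=timedelta(hours=1)):
    """Chain the detections: users who approved a push barrage from an IP that
    was also spraying, plus whether a new MFA device followed the approval."""
    spray_ips = set(detect_password_spray(events))
    hits = []
    for user, info in sorted(detect_push_bombing(events).items()):
        shared = sorted(set(info["ips"]) & spray_ips)
        if not info["approved"] or not shared:
            continue
        approved_at = max(_ts(e) for e in events if e["kind"] == "mfa_push"
                          and e["user"] == user and e["result"] == "approved")
        registered = any(e["kind"] == "mfa_device_registered" and e["user"] == user
                         and timedelta(0) <= _ts(e) - approved_at <= registration_window
                         for e in events)
        hits.append({"user": user, "ips": shared, "new_mfa_device": registered})
    return hits


if __name__ == "__main__":
    print("spraying IPs:", detect_password_spray(SAMPLE_EVENTS))
    print("push-bombed users:", detect_push_bombing(SAMPLE_EVENTS))
    print("likely compromised:", compromised_accounts(SAMPLE_EVENTS))
```

The spray detector keys on distinct usernames per source IP rather than on failures per account, because spraying is built to stay under per-account lockout counters; the push-bombing detector keys on prompt volume per user and records whether the burst ended in an approval, which is the event worth paging on. The chained check is what turns two noisy alerts into one high-confidence incident: an approval that follows a spray from the same address, followed by a new MFA device, is the exact sequence the Advisory describes.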

Regularly review your password policy to ensure it is up to date with best practices, and ensure users in your organization are educated on it. Also educate authorized users of the network and web-based applications about the techniques threat actors use to gain access through weak and reused passwords. Ensure users understand the criticality of denying, and reporting, MFA push-notification requests that they did not generate.

Talk to your IT team today regarding the Joint Cybersecurity Advisory and the threats it describes to weak passwords and weak MFA methods. As recommended in the Advisory, exercise, test and validate your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the Advisory (e.g., Modify Authentication Process: Multi-Factor Authentication (T1556.006) and Multi-Factor Authentication Request Generation (T1621)).

We regularly work with clients to assist in preparing or updating applicable IT information security policies and procedures. Learn more about Wyatt’s data privacy and cyber security practice by visiting the Wyatt Data Privacy & Cyber Security webpage.

HHS Adds New Teeth to Information Blocking Law for Health Care Providers

by Margaret Young Levi, Kathie McDonald-McClure, and Drayden Burton (Wyatt Summer Associate)

On July 1, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule entitled “21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking,” 89 Fed. Reg. 54662 (Final Rule) establishing “disincentives” for health care providers who commit information blocking. Importantly, the 21st Century Cures Act explicitly delegated the authority to HHS to establish “appropriate disincentives” for information blocking through notice and comment rulemaking. 42 U.S. Code § 300jj–52(b)(2)(B). Previously, on October 23, 2023, HHS published its proposed rule seeking comments on the proposed appropriate disincentives (Proposed Rule).

In general, “information blocking” means knowingly and unreasonably interfering with, preventing, or materially discouraging the access, exchange, or use of “electronic health information” (EHI) unless such blocking is required by law or permitted by regulatory exceptions. To learn more about information blocking and the permitted exceptions, see our article “Information Blocking Rule Effective April 5, 2021: Are Providers Ready?,” which provides an overview of the Rule’s key elements and requirements. The prohibition on information blocking went into effect on April 5, 2021, but until now did not contain any penalties for health care providers who engage in information blocking.  Previously, on June 27, 2023, the HHS Office of Inspector General (HHS-OIG) established civil monetary penalties of up to $1 million per information blocking violation by developers of certified health information technology and for health information networks (HINs) and health information exchanges (HIEs).  (88 Federal Register 42820).

This Final Rule adds some teeth, aiming to ensure that individuals and their health care providers always have access to the individual’s health information.  Some of the comments that HHS had received to its Proposed Rule supported disincentives that incentivize an exchange of EHI across care settings on the basis that this will lead to better patient outcomes. In issuing its Final Rule HHS stated, “When health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the health care system to better serve patients.”

The “Disincentives”

The Final Rule establishes certain “disincentives” for several categories of health care providers that HHS-OIG finds to have engaged in activities that interfere with or prevent access to EHI that constitute information blocking. These disincentives are as follows:

Continue reading

Changes to the Health Breach Notification Rule Include Regulations for Health Apps

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR”) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, has increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumers who use PHRs, the FTC finalized the following changes to the HBNR:

Continue reading

Kentucky Enacts New Consumer Data Privacy Act

Written by: Margaret Young Levi, Kathie McDonald-McClure and Drayden Burton (Wyatt Summer Associate)

On April 4, 2024, Governor Andy Beshear added Kentucky to the growing list of states with comprehensive data privacy legislation by signing House Bill 15 into law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers as well as imposes requirements on certain businesses that handle consumer data.

What rights does the KCDPA create for consumers?

The KCDPA provides “consumers,” which it defines as natural persons residing in Kentucky who are acting solely in an individual context, with a swathe of rights concerning their personal data. These rights mirror the laws of other states that have passed similar legislation. These rights include:

Continue reading

New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or their business associate—for the following activities:

Continue reading